Gecko [ eachadeal.com ]

Name	Size	Permission	Date
common	[ DIR ]	drwxr-xr-x	2025-10-28 18:03
ftrace_hooks	[ DIR ]	drwxr-xr-x	2025-10-28 18:03
lsm_hooks	[ DIR ]	drwxr-xr-x	2025-10-28 18:03
syscall_hooks	[ DIR ]	drwxr-xr-x	2025-10-28 18:03
transport	[ DIR ]	drwxr-xr-x	2025-10-28 18:03
Kbuild	10.29 KB	-rw-r--r--	2025-10-28 18:03
Makefile	2.23 KB	-rw-r--r--	2025-10-28 18:03
compat.c	8.42 KB	-rw-r--r--	2025-10-28 18:03
compat.h	11.98 KB	-rw-r--r--	2025-10-28 18:03
debug.h	3.56 KB	-rw-r--r--	2025-10-28 18:03
dkms.conf	146 B	-rw-r--r--	2025-10-28 18:03
file_contexts.c	60.43 KB	-rw-r--r--	2025-10-28 18:03
file_contexts.h	6.21 KB	-rw-r--r--	2025-10-28 18:03
file_contexts_priv.h	5.48 KB	-rw-r--r--	2025-10-28 18:03
file_handle_tools.h	2.53 KB	-rw-r--r--	2025-10-28 18:03
file_key_tools.h	950 B	-rw-r--r--	2025-10-28 18:03
file_path_tools.h	2.09 KB	-rw-r--r--	2025-10-28 18:03
hashtable_compat.h	2.73 KB	-rw-r--r--	2025-10-28 18:03
hook_trampoline_common.h	4.29 KB	-rw-r--r--	2025-10-28 18:03
interval_tree.h	779 B	-rw-r--r--	2025-10-28 18:03
memory.c	3.31 KB	-rw-r--r--	2025-10-28 18:03
memory.h	2.99 KB	-rw-r--r--	2025-10-28 18:03
module.c	2.67 KB	-rw-r--r--	2025-10-28 18:03
module_ref.h	421 B	-rw-r--r--	2025-10-28 18:03
module_rundown_protection.c	3.64 KB	-rw-r--r--	2025-10-28 18:03
module_rundown_protection.h	743 B	-rw-r--r--	2025-10-28 18:03
path_tools.h	6.06 KB	-rw-r--r--	2025-10-28 18:03
rundown_protection.c	4.2 KB	-rw-r--r--	2025-10-28 18:03
rundown_protection.h	2.83 KB	-rw-r--r--	2025-10-28 18:03
safe_kobject.h	1.28 KB	-rw-r--r--	2025-10-28 18:03
si_common.h	4.3 KB	-rw-r--r--	2025-10-28 18:03
si_fp_properties.h	858 B	-rw-r--r--	2025-10-28 18:03
si_fp_properties_x.h	18.53 KB	-rw-r--r--	2025-10-28 18:03
si_fp_value_types.h	515 B	-rw-r--r--	2025-10-28 18:03
si_fp_value_types_x.h	1.25 KB	-rw-r--r--	2025-10-28 18:03
si_size.h	4.26 KB	-rw-r--r--	2025-10-28 18:03
si_templates.h	2.99 KB	-rw-r--r--	2025-10-28 18:03
si_writer.h	7.52 KB	-rw-r--r--	2025-10-28 18:03
si_writer_common.h	14.63 KB	-rw-r--r--	2025-10-28 18:03
stringify.h	261 B	-rw-r--r--	2025-10-28 18:03
task_info_map.c	17.1 KB	-rw-r--r--	2025-10-28 18:03
task_info_map.h	6.33 KB	-rw-r--r--	2025-10-28 18:03
task_tools.h	1.34 KB	-rw-r--r--	2025-10-28 18:03
tracepoints.c	3.58 KB	-rw-r--r--	2025-10-28 18:03
tracepoints.h	299 B	-rw-r--r--	2025-10-28 18:03
write_protection.h	2.2 KB	-rw-r--r--	2025-10-28 18:03

Rename

/**
@file
@brief    'exec', 'exit' and 'fork' tracepoints
@details  Copyright (c) 2017-2021 Acronis International GmbH
@author   Mikhail Krivtsov (mikhail.krivtsov@acronis.com)
@since    $Id: $
*/

#include "tracepoints.h"

#include "compat.h"
#include "debug.h"
#include "exit_event.h"
#include "exec_event.h"
#include "ftrace_hooks/ftrace_events.h"
#include "fork_event.h"
#include "memory.h"
#include "message.h"

#include <linux/binfmts.h>
#include <linux/dcache.h>	// d_path
#include <linux/file.h>		// fput()
#include <linux/fs.h>		// struct file
#include <linux/limits.h>	// PATH_MAX
#include <linux/mm.h>		// get_task_exe_file()
#include <linux/mm_types.h>	// struct mm_struct
#include <linux/path.h>		// struct path
#ifndef KERNEL_MOCK
#include <linux/sched.h>	// struct task_struct
#else
#include <mock/mock_sched.h>
#endif
#include <linux/tracepoint.h>
#include <linux/version.h>	// LINUX_VERSION_CODE, KERNEL_VERSION()
#include <trace/events/sched.h>	// TRACE_EVENT(sched_*)

#ifdef HAVE_SCHED_PROCESS_EXEC_TRACEPOINT
static bool g_registered_exec = false;
#endif
static bool g_registered_exit = false;
static bool g_registered_fork = false;

static TRACE_CB_PROTO(sched_process_exit,
		TP_PROTO(struct task_struct *p))
{
	DPRINTF("exit() p=%p { pid=%d tgid=%d }", p, p->pid, p->tgid);
	exit_event_nowait(p);
}

/*
 * Here the caller only guarantees locking for struct file and struct inode.
 * Locking must therefore be done in the probe to use the dentry.
 */
static TRACE_CB_PROTO(sched_process_fork,
		TP_PROTO(struct task_struct *current_macro,
				struct task_struct *p))
{
	DPRINTF("fork() current=%p { pid=%d tgid=%d comm='%s' } "
		"p=%p { pid=%d tgid=%d comm='%s' }",
		current_macro, current_macro->pid, current_macro->tgid,
				current_macro->comm,
		p, p->pid, p->tgid, p->comm);
	fork_event_nowait(current_macro, p);
}

#ifdef HAVE_SCHED_PROCESS_EXEC_TRACEPOINT
static TRACE_CB_PROTO(sched_process_exec,
		TP_PROTO(struct task_struct *p, pid_t old_pid, struct linux_binprm *bprm))
{
	DPRINTF("exec() p=%p { pid=%d tgid=%d comm='%s' }", p, p->pid, p->tgid, p->comm);
	exec_event_nowait(p, bprm);
}
#endif

int tracepoints_attach(void)
{
	int ret;

if (!ftrace_post_event_have(FTRACE_POST_EVENT_EXIT)) {
		ret = REGISTER_TRACE(sched_process_exit, TRACE_CB_NAME(sched_process_exit));
		if (ret) {
			EPRINTF("'register_trace_sched_process_exit()' failure %i", ret);
			goto fail;
		}
		g_registered_exit = true;
	}

if (!ftrace_post_event_have(FTRACE_POST_EVENT_FORK)) {
		ret = REGISTER_TRACE(sched_process_fork, TRACE_CB_NAME(sched_process_fork));
		if (ret) {
			EPRINTF("'register_trace_sched_process_fork()' failure %i", ret);
			goto fail;
		}
		g_registered_fork = true;
	}

#ifdef HAVE_SCHED_PROCESS_EXEC_TRACEPOINT
	if (!ftrace_post_event_have(FTRACE_POST_EVENT_EXEC)) {
		ret = REGISTER_TRACE(sched_process_exec, TRACE_CB_NAME(sched_process_exec));
		if (ret) {
			EPRINTF("'register_trace_sched_process_exec()' failure %i", ret);
			goto fail;
		}
		g_registered_exec = true;
	}
#endif

IPRINTF("tracepoints attached");
	return 0;

fail:
	tracepoints_detach();
	return ret;
}

void tracepoints_detach(void)
{
	if (g_registered_fork) {
		UNREGISTER_TRACE(sched_process_fork, TRACE_CB_NAME(sched_process_fork));
		g_registered_fork = false;
	}
	if (g_registered_exit) {
		UNREGISTER_TRACE(sched_process_exit, TRACE_CB_NAME(sched_process_exit));
		g_registered_exit = false;
	}
#ifdef HAVE_SCHED_PROCESS_EXEC_TRACEPOINT
	if (g_registered_exec) {
		UNREGISTER_TRACE(sched_process_exec, TRACE_CB_NAME(sched_process_exec));
		g_registered_exec = false;
	}
#endif
	tracepoint_synchronize_unregister();
	IPRINTF("tracepoints detached");
}